What is WannaSmile ransomware? And how does it function?

WannaSmile ransomware is an encryption which has first emerged on November 16, 2017. According to security experts, it is a ransomware variant of zCrypt ransomware and seems to be targeting majority of the users in Farsi speaking regions. Just like a typical ransomware infection, WannaSmile is designed to encrypt its victims’ files using an encryption algorithm and in WannaSmile’s case, it utilizes both the AES and RSA algorithms in encrypting its targeted files and appends the. WSmile extension on each one of the files. After its encryption attack, WannaSmile creates a file named How to decrypt files.html which contains the ransom note that reads:

“WARNING!

Your system is infected with tactic WannaSmile Ransomware virus, all your important files, including databases and backups, are encrypted with complex encryption algorithms, so you will not be able to access files, only we can decrypt.

In the event that we do not receive a fee for our bitcoin-purse a maximum of 5 days after infection, then 1 bitcoin will be added daily to the original amount (20 bitcoins).

You must pay an amount of 20 bitcoins to decrypt your files at the following address:

[RANDOM CHARCTERS]

And once you pay, do not forget to send us an email to wannasmile@tuta.io so we can send you a file from which you can restore all the files and infected systems to their original state.

Developers of WannaSmile threaten to increase the ransom amount which is 20 BTC if its victims fail to pay the demanded ransom within 5 days. 20 BTC is a huge amount of money, so if you are one of the victims of this ransomware, trying out alternative ways to recover your encrypted files is better than paying the ransom. In fact, paying the ransom is not recommended as there is no assurance that the crooks behind WannaSmile ransomware will really decrypt the encrypted files. But before you try out alternatives to recover your files, terminating WannaSmile ransomware should be on top of your list.

How does WannaSmile ransomware spread its malicious payload?

WannaSmile ransomware is most likely to spread using spam email campaigns. Usually, hackers try to impersonate legitimate and well-known companies to lure users into opening the email and downloading the attachment in it. The attachment may be a macro-enabled document which contains malicious scripts that when opened, will launch WannaSmile ransomware into the system. This ransomware could also spread as fake software updates or fake software found on malicious websites. To avoid WannaSmile ransomware infiltration, you should stir clear of any suspicious emails from your inbox. You should also avoid downloading free software or software updates from suspicious websites as it might contain WannaSmile ransomware’s malicious payload. It would also greatly help if you keep both your system and antivirus program up-to-date at all times to increase your computer’s resistance against these kinds of threats.

Refer to the following guide to terminate WannaSmile ransomware from your PC as well as recover your encrypted files.

Step 1: Tap Ctrl + Shift + Esc keys to open the Task Manager.

Step 2: After opening the Task Manager, look for WannaSmile ransomware’s malicious process that could be named client.exe, right click on it and select End Process or End Task.

Step 3: Close the Task Manager.

Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.

Step 4: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 5: Navigate to the following path:

HKEY_CURRENT_USER\Control Panel\Desktop\

HKEY_USERS\.DEFAULT\Control Panel\Desktop\

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Step 6: Look for a value named WANNASMILE created by WannaSmile ransomware and delete it.

Step 7: Close the Registry Editor and open Control Panel by pressing the Windows key + R, then type in appwiz.cpland then click OK or press Enter.

Step 8: Look for WannaSmile ransomware or any suspicious program and then Uninstall it/them.

Step 9: Tap Win + E to launch File Explorer.

Step 10: After opening File Explorer, navigate to the following locations below and look for WannaSmile ransomware’s malicious components such as the html file named How to decrypt files.html as well as the malicious file WannaSmile ransomware came with.

%TEMP%

%APPDATA%

%USERPROFILE%\Downloads

%USERPROFILE%\Desktop

Step 11: Close the File Explorer.

Step 12: Empty your Recycle Bin.

Try to recover your encrypted files using the Shadow Volume copies

Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if WannaSmile ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.

To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Make sure that you have completely removed WannaSmile ransomware from your computer, to do so, follow the advanced removal guide below.

Perform a full system scan using SpyRemover Pro. To do so, follow these steps:

Turn on your computer. If it’s already on, you have to reboot

After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.

To navigate the Advanced Option use the arrow keys and select SafeMode with Networking then hit